Embed Size (px)
Citation preview
SettinganOpenVPNonLinuxandMikroTiktosecurelyaccessaweb
server
TeddyYuliswarMikroTikCertifiedTrainer#TR0442
Indonetworkers.comTrainingCenter(ITC)Jl.S.ParmanNo.189BUlakKarangUtara
Padang– WestSumatera-Indonesia
Indonetworkers.com/training
Case
1. Wewanttohaveaweb-basedapplicationthatisonaserverthatcanonlybeaccessedbyofficeemployees-ourbranchoffices(notallowedtobeaccessedpublicly)or
2. Wewanttomanageclientroutersthatdonothavepublicipviaasinglewebbasedapp
Problem
AttheHeadOfficeandBranch(both)thereisnodedicatedinternetforexample:
1. FromISPDynamicInternetIP2. UndertheNATRouter/DoesnothaveapublicIP
Whatdoweneedtosolvedthisproblem?
Whatarethesteps?
WhatisOpenVPN?
SymmetricEncryption
ExampleSymmetricEncryption
• Blowfish,AES,RC4,DES,RC5,andRC6• ThemostwidelyusednowAES-128,AES-192,andAES-256.
AsymmetricEncryption
ExampleAsymmetricEncryption
Mostareusedineverydaycommunicationchannels,especiallythroughtheInternet.Popularasymmetrickeyencryption:EIGamal,RSA,DSA,Ellipticcurvetechniques,PKCS
WhyOpenVPN?
OpenVPN PPTP L2TP/IPsec SSTP IKEv2/IPSec
Encryption 160-bit,256-bit 128-bit 256-bit 256-bit 256-bit
Security VeryhighWeak Highsecurity(might
beweakenedbyNSA) High High
SpeedFast Speedy,duetolow
encryptionMedium,duetodoubleencapsulation Fast Veryfast
Stability Verystable Verystable Stable Verystable Verystable
Compatibility
Strongdesktopsupport,butmobilecouldbeimproved.Requiresthird-partysoftware.
StrongWindowsdesktopsupport.
Multipledeviceandplatformsupport.
Windows-platform,butworksonotherLinuxdistributions.
LimitedplatformsupportbeyondWindowsandBlackberry
FinalWordMostrecommendedchoice.Fastandsecure.
NativeonWindows.Weaksecurity.Usefulforgeo-restrictedcontent.
Versatileandsecure.AdecentalternativetoOpenVPN.
FasterandmoresecurealternativetoPPTPandL2TP.
Secure,stable,andmobile-oriented.
Source:https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/
OpenVPNusesSSL/TLS
SSLandTLS
• SecureSocketsLayer(SSL)andTransportLayerSecurity(TLS)SSLareuniversallyacceptedstandardsforauthenticatedandencryptedcommunicationbetweenclientsandservers.
• SSL/TLSusesacombinationofpublickeyandsymmetric-keyencryption
• OpenVPNusesSSL/TLSforPublicKeyInfrastructure,thenSSL/TLSusesAEStoencryptthepublickey,thenthepublickeyissenttotheclient
Sotheprocessis,ServerSide:1. Createpublicandprivatekeys2. PublickeyencryptionwithAES3. Encryptdatawithaprivatekey4. Makeahashwithshaormd55. SenddatainencryptedformandalsosendpublicAES
encryptedkeys,aswellasfingerprinthashes
ClientSide:1. Receivedata,publickey,fingerprinthash2. Checkdataintegritywithhashes3. Decryptionofthepublickey4. Decryptdatawithapublickeythathasbeen
decryptedinpoint35. Finish
FutureDataCommunicationisalmostcertaintouse:
1. PublicKeyInfrastructurefordataencryption2. SymmetricEncryptionTosendapublickey3. HashingforDataIntegritychecking
OpenVPNonMikroTikRouterOS
Server Client
LAN
NetworkTopology
KantorPusat
OpenVPNClient
OpenVPNClient
Internet
Internet
WebServer
Internet
OpenVPNServer
*OntheOpenVPNMikrotikservertheremustbeaPublicIPStaticorifDynamicIPEnableCloudIP
NetworkTopology
OpenVPNClient
OpenVPNClient
OpenVPNClient
Internet
Internet
WebServer+OpenVPNServer
Internet
VPS
NetworkTopology
OpenVPNClient
InternetLTE/4G
WebServer+OpenVPNServer
VPS
OpenVPNClient
InternetLTE/4G
OpenVPNClient
InternetLTE/4G
VPS
7
configurationyum update -ywget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmrpm -ivh epel-release-latest-7.noarch.rpm
yum install openvpn openssl
openssl dhparam -out /etc/openvpn/dh.pem 2048
openssl genrsa -out /etc/openvpn/ca.key 2048chmod 600 /etc/openvpn/ca.key
openssl req -new -key /etc/openvpn/ca.key -out /etc/openvpn/ca.csr -subj /CN=OpenVPN-CA/openssl x509 -req -in /etc/openvpn/ca.csr -out /etc/openvpn/ca.crt -signkey /etc/openvpn/ca.key -days 365echo 01 > /etc/openvpn/ca.srl
openssl genrsa -out /etc/openvpn/server.key 2048chmod 600 /etc/openvpn/server.keyopenssl req -new -key /etc/openvpn/server.key -out /etc/openvpn/server.csr -subj /CN=OpenVPN/openssl x509 -req -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 365
openssl genrsa -out /etc/openvpn/client.key 2048chmod 600 /etc/openvpn/client.keyopenssl req -new -key /etc/openvpn/client.key -out /etc/openvpn/client.csr -subj /CN=OpenVPN-Client/openssl x509 -req -in /etc/openvpn/client.csr -out /etc/openvpn/client.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 36525
nano /etc/openvpn/server.conf port 1194
proto tcpdev tun1194ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crtkey /etc/openvpn/server.key # This file should be kept secretdh /etc/openvpn/dh.pem
#client-config-dir /etc/openvpn/ccdserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtclient-to-client
push "route 10.8.0.0 255.255.255.0"push "redirect-gateway def bypass-dhcp"push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"duplicate-cnkeepalive 10 120cipher AES-256-CBC
;comp-lzouser nobodygroup nobodypersist-tun
status openvpn-status.logverb 3
• systemctlenableopenvpn@server• systemctlstartopenvpn@server
**don'tforgetthefirewalldoriptablesset(accordingtoeachtaste)J
tail-f/etc/openvpn/openvpn-status.log
Demo
